diff --git a/session-logs/2026-04-28-session.md b/session-logs/2026-04-28-session.md index b9535cb..c53768b 100644 --- a/session-logs/2026-04-28-session.md +++ b/session-logs/2026-04-28-session.md 
@@ -180,3 +180,68 @@ All work syncs bidirectionally via Gitea at 172.16.3.20:3000. **Session Duration:** ~10 minutes (sync + review only) **Commits During Session:** 0 (sync-only session) **Files Changed:** 0 (review-only session) + +--- + +## Note for Howard + +**RE: Cascades CA Role Gap & New Approval Workflow** + +### Approval Workflow (NEW - applies to all future work) + +Mike established a clear approval process today (documented in `.claude/memory/approval-workflow-tools-vs-projects.md`): + +**General Tools** (remediation-tool, onboard scripts, MSP utilities): +- **You can modify directly** to further your work +- **OR** I can execute changes with approval from you **OR** Mike +- No roadmap/planning process - immediate operational changes allowed + +**Projects** (GuruRMM, ClaudeTools API, etc.): +- Require Mike's approval for changes +- Feature requests → roadmap +- Bugs → bug list +- Structured development workflow + +### Cascades CA Fix - YOU ARE CLEARED TO PROCEED + +Mike reviewed your 2026-04-28 session log and **approves Path A** (Graph API role assignment). You're clear to test and confirm. 
+ +**Execute these commands when ready:** + +```bash +# Get token for Cascades tenant +TOKEN=$(bash /path/to/vault/scripts/vault.sh get-field msp-tools/computerguru-tenant-admin.sops.yaml token) + +# Step 1: Activate the Conditional Access Administrator role in Cascades tenant (idempotent) +curl -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \ + "https://graph.microsoft.com/v1.0/directoryRoles" \ + -d '{"roleTemplateId":"b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"}' + +# Step 2: Assign CA Administrator to Tenant Admin SP +curl -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \ + "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments" \ + -d '{ + "principalId": "a5fa89a9-b735-4e10-b664-f042e265d137", + "roleDefinitionId": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9", + "directoryScopeId": "/" + }' +``` + +(These are the exact commands from your session log lines 154-168.) + +### After You Confirm It Works + +Once you verify CA endpoints work (can read Named Locations, can read CA policies), ping Mike or me and we'll: +1. Patch `onboard-tenant.sh` to include this role assignment automatically +2. Document any tenants already onboarded that need backfill + +Then you can proceed with the rest of Track A: +- Add `184.191.143.62/32` to Cascades Named Location +- Exit Entra Connect staging +- Phone enrollment (Gates A5-A7) + +**Bottom line:** You're approved and unblocked. Execute Path A when ready. + +--- + +**Update added:** 2026-04-29 06:50 (Mike session on Mac)
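Review bot: the two `curl -X POST` calls in the "Execute these commands" block run with no error handling, so if `vault.sh get-field ...` returns an empty `$TOKEN` or Step 1 fails, Step 2 is still attempted and any 4xx body just scrolls past; since this is meant to be copy-pasted and later folded into `onboard-tenant.sh`, add `set -euo pipefail`, a check that `$TOKEN` is non-empty, `--fail-with-body` on each curl, and finish with a read-back (`GET /roleManagement/directory/roleAssignments?$filter=principalId eq 'a5fa89a9-b735-4e10-b664-f042e265d137'`) so "confirm it works" rests on the assignment actually existing rather than only on CA endpoints responding. Two smaller points in the same block: the comment says "Get token for Cascades tenant" but the secret read is `msp-tools/computerguru-tenant-admin.sops.yaml`, so state explicitly that this credential is the one scoped to the Cascades tenant before Howard runs it, and `/path/to/vault/scripts/vault.sh` is a placeholder that contradicts "(These are the exact commands from your session log lines 154-168.)"; either give the real path or mark it as a placeholder. Also note that this hunk commits a public egress address (`184.191.143.62/32`) and a service-principal object ID into a session log that syncs to Gitea; if that repo is shared beyond the MSP team, those belong in the vault or a redacted reference.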